Fraudsters have figured out how to break into online accounts protected by two-factor authentication when the second factor is tied to your mobile phone number.
They don’t steal the phone; they hijack the phone number itself. Once the number routes to a device they control, they receive the one-time verification codes sent to it by text message or voice call.
Armed with their victim’s personal information, such as date of birth and last four digits of their Social Security number — information that is widely available on the dark web — these identity thieves trick the wireless carriers into transferring (or porting) their target’s phone number to a new account or device they control. That’s why this is called the “port-out” scam.
Mobile phone hijacking is on the rise. Reports of this crime to the Federal Trade Commission more than doubled between 2013 and 2016, from 1,038 incidents to 2,658. These complaints “represent only the tip of a much larger iceberg,” the FTC noted. NBC News first warned about the scam in June 2016.
Port-out scammers can take over any account that uses that phone number as its verification channel, such as bank, cryptocurrency, email and social media accounts, according to a recent warning from Fraud.org, run by the National Consumers League.
“Most victims find out about this when they go to use their cellphone and it won’t work,” said John Breyault, NCL’s vice president of telecommunications and fraud. “Unfortunately, by the time they call the carrier and figure out what’s happened, the scammer has already used that hijacked cellphone number to log in to things like their bank account and drain all the funds out of it relatively quickly.”
That’s how cybercrooks stole all the money in Jesse Kloeppner’s Wells Fargo bank accounts earlier this year. Late one night, Kloeppner, who lives in Shoreview, Minn., saw an email on his smartphone that said he had just transferred $1,799 to another account — something he hadn’t done.
“I tried to call the bank from my cellphone and it said, ‘No service,’ so I'm kind of freaking out,” he said. “And I couldn’t log in to my T-Mobile or my Wells Fargo accounts because my passwords had been changed.”
Based on what he learned from the bank and the phone company, Kloeppner told NBC News what most likely happened. The phone bandits opened a new mobile account with another company and then contacted T-Mobile to have the service switched.
Armed with just his Wells Fargo user name — they didn’t have his password — the hackers requested a password change and just waited for the one-time authentication code to be texted to his phone number, which they now controlled. Once they had the new password, they logged in and transferred out all the money.
T-Mobile apologized and the bank returned the money, since this was a fraudulent transaction, but Kloeppner found the experience to be “terribly frightening” and has since added a port-out protection passcode to his T-Mobile account.
T-Mobile told NBC News it has seen an uptick in this type of scam and is “encouraging customers to add extra security features to their accounts.” T-Mobile customers can call 611 to have port validation added to an account.
Kloeppner also reported his experience to the Better Business Bureau’s Scam Tracker network, a site that helps the BBB investigate and warn others about rip-offs and scams.
How the scam works
The port-out scam can take place at a wireless store or online, but in both cases, the impostors have enough information to convince the phone company that they are who they claim to be and have that person’s phone service transferred to their mobile device.
“And with a smartphone, if you're on Wi-Fi, everything's going to work except the actual calling and texting, so you may not even notice right away that something's wrong with your phone — which can give the scammers a few hours of lead time,” said Katherine Hutt, director of communications for the Council of Better Business Bureaus. “If that ever happens, if you can't make calls or receive calls, immediately contact the phone company and see if your number has been ported.”
The wireless industry is well aware of the port-out scam. In January, T-Mobile posted a warning on its website and started encouraging customers to add a port validation feature — a 6-to-15-digit passcode — to their account. AT&T published a blog post in late February, Prevent Porting to Protect Your Identity. CTIA also issued a news release earlier this month: Protecting your accounts against number porting.
“There is a reported increase in activity and I think the carriers are addressing the problem to ensure that it doesn't get worse,” said John Marinho, CTIA’s vice president of technology and cybersecurity. “The way that we address it is to be very vigilant.”
“No system is foolproof,” Marinho told NBC News, but employees at call centers and in retail stores go through “pretty rigorous training” about the port-out scam, he said.
Lorrie Cranor, a cybersecurity expert at Carnegie Mellon, believes better authentication procedures are needed before cellphone service can be switched. Cranor was the victim of the port-out scam two years ago. At the time, she worked at the FTC and wrote about her experience.
An ID thief walked into a wireless store, claimed to be Cranor, said she had lost her phone and needed service changed to a new device. The real Cranor was talking on her cellphone at the time, so if the store employee had simply called her, she could have stopped the scammer.
Cranor told NBC News she believes there are ways wireless companies can balance increased security with a customer’s legitimate needs to change their phone service. She suggests a security protocol that requires the phone company to text or call the phone of the registered owner before service is ported to another phone. (Some carriers offer this security option.)
If someone truly loses their phone, or there’s no way to get confirmation one way or another, then the customer service representative would need to go to the next level of authentication, Cranor said.
How to protect yourself
No one is suggesting that two-factor authentication itself is the problem. It remains a powerful defense against account takeover, but a second factor delivered to a phone number is only as strong as the carrier’s control over who holds that number. And when it comes to protecting your mobile account, there are other things you need to do.
If you haven't already done so, call your wireless carrier and ask for PIN authentication for your accounts. Sprint requires customers to create a PIN when they open a new account. Here’s what to do with the other major carriers.
- AT&T: Log into your ATT.com account, go to your profile by clicking your name, and under the wireless passcode drop down menu, click on “manage extra security.”
- T-Mobile: Call 611 from your cellphone or (800) 937-8997 to speak with customer service.
- Verizon: Visit vzw.com/PIN or call (800) 922-0204.
For those who want to go one step further, Fraud.org has this recommendation: See if your accounts that use two-factor authentication offer an app-based option, such as Authy or Google Authenticator, that generates the one-time verification code on the device itself rather than sending it to your phone number.